From owner-freebsd-isp Sun Jun 22 15:40:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA26268 for isp-outgoing; Sun, 22 Jun 1997 15:40:16 -0700 (PDT)
Received: from weblock.tm.net.my ([202.188.0.180]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA26255 for ; Sun, 22 Jun 1997 15:40:05 -0700 (PDT)
Received: from lovebox ([202.184.153.17]) by weblock.tm.net.my (Post.Office MTA v3.1 release PO203a evaluation license) with SMTP id AAA1517 for ; Mon, 23 Jun 1997 06:40:22 +0800
Message-Id: <3.0.32.19970623063113.00941100@mail.tm.net.my>
X-Sender: sweeting@mail.tm.net.my (Unverified)
X-Mailer: Windows Eudora Pro Version 3.0 (32)
To: freebsd-isp@freebsd.org
From: chas
Subject: duplicate IP = security problem ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 23 Jun 1997 06:40:22 +0800
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Please excuse this slightly long description but I'm perturbed about possible security problems :

----------------------------------------------------
10:00 pm - collect mail fine from our FreeBSD-based mailhub.

10:30 pm - a couple of users informed me that they were being refused connection to the mailserver. I tried to download and send mail ... and sure enough, no reply.

So, I went to the console and found this error message appear whenever someone tried to collect mail :

    "/kernel duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08"

(This also occurred if I tried to ping any other machine on our network from the mailserver)

My initial thought was that the NIC was going schizo... it's a dodgy 3Com job.

But then ifconfig for the mailserver produced :

    lp0: flags=8810 mtu 1500
    ep0: flags=8843 mtu 1500
            inet 202.184.153.15 netmask 0xffffff00 broadcast 202.184.153.255
            ether 00:c0:4f:db:17:29
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    sl0: flags=c010 mtu 552
    tun0: flags=8010 mtu 1500

which means that the duplicate IP was out on another machine.

To make sure, I disconnected the mailserver from the network and, sure enough, was still able to ping the IP (that belongs to the mailserver) from one of our webservers.

The following is a session on the DEC webserver :

( note : mail.heaven.com.my = 202.184.153.15 = the mailserver. This machine was disconnected from the network during this session !
  love.com.my = 202.184.153.17 is just another machine on our network, shown here for a comparison of traceroute output)

    # ping mail.heaven.com.my
    PING mail.heaven.com.my (202.184.153.15): 56 data bytes
    64 bytes from 202.184.153.15: icmp_seq=0 ttl=255 time=5 ms
    64 bytes from 202.184.153.15: icmp_seq=1 ttl=255 time=1 ms

    ----mail.heaven.com.my PING Statistics----
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip (ms) min/avg/max = 1/3/5 ms

i.e. I could ping a machine that was supposedly offline.

    # traceroute mail.heaven.com.my
    traceroute to mail.heaven.com.my (202.184.153.15), 30 hops max, 40 byte packets
     1 * * *
     2 *

weird traceroute results ! compare with :

    # traceroute love.com.my
    traceroute to love.com.my (202.184.153.17), 30 hops max, 40 byte packets
     1 lovebox (202.184.153.17) 0 ms 0 ms 1 ms

and then suddenly :

    # ping mail.heaven.com.my
    PING peace.com.my (202.184.153.15): 56 data bytes

    ----peace.com.my PING Statistics----
    5 packets transmitted, 0 packets received, 100% packet loss

it had disappeared !
---------------------------------------------------------------

So, my questions are :

1) Could it be possible for someone to be using our IP ? And hence be on our network ?

2) What could I do if this happens again to gain control of the IP again ?

3) Any other explanations or advice ?

Thank you very much.

chas
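An added example, not part of chas's post or of FreeBSD: a small Python script that parses kernel warnings in the format quoted above out of a syslog file and flags any IP address that is being claimed by a NIC other than the one its legitimate host shows in ifconfig. The log lines and the expected-MAC table are constructed here from the addresses in the post; the syslog prefix layout is an assumption.

```python
import re
from collections import defaultdict

# Pattern for the kernel warning quoted in the post:
#   "duplicate IP address X! sent from ethernet address Y"
# The syslog timestamp/hostname prefix in front of it is ignored.
DUP_RE = re.compile(
    r"duplicate IP address (\d+\.\d+\.\d+\.\d+)! "
    r"sent from ethernet address ([0-9a-fA-F:]+)"
)

def normalise_mac(mac):
    """Zero-pad each octet so 0:a0:40:29:e8:8 and 00:a0:40:29:e8:08 compare equal."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_duplicate_warnings(log_text):
    """Return {ip: {mac: count}} for every duplicate-IP warning found in the log."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            seen[m.group(1)][normalise_mac(m.group(2))] += 1
    return {ip: dict(macs) for ip, macs in seen.items()}

def find_conflicts(warnings, known_macs):
    """Compare the MACs that claimed each IP against the MAC the legitimate host
    really has (known_macs: {ip: mac}, copied from ifconfig on each host).
    Returns {ip: {"expected": mac_or_None, "rogue": [macs]}} for each IP that was
    claimed by a foreign NIC; an IP not in known_macs counts every claimant as rogue."""
    conflicts = {}
    for ip, macs in warnings.items():
        expected = known_macs.get(ip)
        expected = normalise_mac(expected) if expected else None
        rogue = sorted(m for m in macs if m != expected)
        if rogue:
            conflicts[ip] = {"expected": expected, "rogue": rogue}
    return conflicts

# Constructed sample log: two warnings about the mailserver's address (the second
# with unpadded octets, as some arp tools print them) plus one unrelated line.
SAMPLE_LOG = """\
Jun 22 22:31:07 mailhub /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08
Jun 22 22:31:19 mailhub /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 0:a0:40:29:e8:8
Jun 22 22:32:02 mailhub popper[214]: connection refused
"""
# Legitimate MAC of 202.184.153.15, taken from the ep0 line of ifconfig in the post.
KNOWN_MACS = {"202.184.153.15": "00:c0:4f:db:17:29"}

if __name__ == "__main__":
    for ip, info in find_conflicts(parse_duplicate_warnings(SAMPLE_LOG), KNOWN_MACS).items():
        print(f"{ip}: expected {info['expected']}, also claimed by {', '.join(info['rogue'])}")
```

Run against the mailhub's real /var/log/messages, the rogue MAC it reports is the address to look up in the switch's forwarding table to find which port the second machine sits on.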